.\" Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH GRML-CRYPT 8 "AUG 9, 2005"
.\" Please adjust this date whenever revising the manpage.
.\" Some roff macros, for reference:
.\" .nh disable hyphenation
.\" .hy enable hyphenation
.\" .ad l left justify
.\" .ad b justify to both left and right margins
.\" .nf disable filling
.\" .fi enable filling
.\" .br insert line break
.\" .sp <n> insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
grml-crypt \- Wrapper around cryptsetup/losetup/mkfs/mount
.RI [OPTIONS] " action " <device/file> " [mountpoint]"
This manual page documents briefly the
.\" TeX users may be more comfortable with the \fB<whatever>\fP and
.\" \fI<whatever>\fP escape sequences to invoke bold face and italics,
\fBgrml-crypt\fP is a program that
provides an easy wrapper around cryptsetup, mkfs, losetup and mount.
You can create a loopback-mounted encrypted filesystem with only one command, but grml-crypt also works for normal devices.
.B format <device/file> [mountpoint]
This command "formats" a device/file.
If the second parameter is not a block device, grml-crypt assumes that it should operate in file mode. If the file does not already exist, it will be created with the given size.
The first 2MB of a device (LUKS header) are initialised with /dev/urandom; the remaining space is initialised with the given initialisation mode. In file mode the first 2MB of the loop file are also initialised with /dev/urandom, except where the file already exists (with -f for overwriting).
Commands: [losetup], dd, cryptsetup luksFormat, cryptsetup luksOpen, [dd], mkfs, [mount]
.B start <device/file> <mountpoint>
This command starts an encrypted device/file and mounts it to the given mountpoint.
Commands: [losetup], cryptsetup luksOpen, mount
This command stops an encrypted filesystem mounted at mountpoint.
The loop device is also destroyed by this command.
Commands: mount, dmsetup info, cryptsetup status, umount, cryptsetup luksClose, [losetup -d]
This program follows the long option style without dashes and
short options starting with one dash (`-').
A summary of options is included below.
Show summary of options.
Show what is going on (more v => more output).
.B \-s (in MB, default=10)
Give the size of the loop filesystem grml-crypt should create.
Give the type of the filesystem grml-crypt should create.
/sbin/mkfs.<your chosen filesystem> should exist.
Read-only mode. The device mapping AND the mountpoint will be made read-only.
In format mode only the mountpoint can be made read-only.
Insecure initialisation mode
Optimized initialisation mode
Verifies the password by asking for it twice during creation.
Force overwriting and/or disable confirmation dialog.
If the second parameter to format is an existing file and force is given, then the file will be used for the encrypted loop filesystem. ATTENTION: the file should be bigger than 2MB for LUKS alone, plus the constraints from the filesystem itself (e.g. xfs needs a minimum of 4096 blocks).
Additional arguments passed through to mount. Could be like '-o noatime'.
.SH CRYPTSETUP FORMAT OPTIONS
.B \-S (in bits, default=128)
Cipher size used for the encryption. Usually 128, 192 or 256 (but higher may also be possible).
.B \-C (default=aes-cbc-essiv:sha256)
Cipher mode, should be aes-plain for pre-2.6.10 kernels. Look at /proc/crypto for other ciphers.
.B \-I (in seconds, default=1)
The number of seconds to spend with PBKDF2 password processing. This time is consumed for every key operation (format, start).
Additional arguments to cryptsetup luksFormat.
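To confirm which cipher, mode and key size an existing container was actually formatted with (the -C and -S settings above), the header can be read back with cryptsetup luksDump. The following check is an added example, not part of grml-crypt; the two header dumps are constructed samples in LUKS1 luksDump layout, and the function name audit_luks_header and its minimum-key-size argument are assumptions.

```shell
#!/bin/sh
# Added example (not grml-crypt code): audit the LUKS header fields that the
# -C and -S options decide. Input is `cryptsetup luksDump <device>` text.

# Constructed sample: header formatted with the man page defaults.
sample_default='LUKS header information for /dev/external1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 2056
MK bits:        128'

# Constructed sample: CBC with a plain IV and a 256-bit key.
sample_plain='Version:        1
Cipher name:    aes
Cipher mode:    cbc-plain
Hash spec:      sha1
MK bits:        256'

# audit_luks_header [min_bits]
# Reads luksDump text on stdin and prints one summary line. Returns 0 when
# all checks pass, 1 when a check fails, 2 when the header cannot be parsed.
# min_bits is a hypothetical local policy value, not a grml-crypt setting.
audit_luks_header() {
    min_bits=${1:-128}
    awk -v min="$min_bits" '
        # Strip the "Label:" prefix and padding, keeping colons in the value.
        function val(s) { sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        /^Cipher name:/ { name = val($0) }
        /^Cipher mode:/ { mode = val($0) }
        /^MK bits:/     { bits = val($0) + 0 }
        END {
            if (name == "" || mode == "" || bits == 0) { print "unparsed"; exit 2 }
            # A plain IV is just the sector number, so it is predictable in CBC;
            # ESSIV encrypts the sector number under a hash of the key instead.
            iv = (mode == "plain" || mode ~ /^cbc-plain/) ? "predictable" : "ok"
            size = (bits < min) ? "short" : "ok"
            print "cipher=" name "-" mode " keybits=" bits " iv=" iv " size=" size
            exit ((iv == "ok" && size == "ok") ? 0 : 1)
        }'
}

# Demo on the constructed samples; on a real system use:
#   cryptsetup luksDump /dev/external1 | audit_luks_header 256
printf '%s\n' "$sample_default" | audit_luks_header
printf '%s\n' "$sample_plain" | audit_luks_header || true
```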
.SH INITIALISATION MODES
.B Default/Secure mode (no -o or -z given)
This mode is the default. It should be quite secure.
The device/file gets initialised with /dev/urandom, except for an already existing file given with -f, where NO initialisation will be done (all other modes behave as usual).
.B Optimized secure mode (-o)
In this mode only the first 2MB of the device/file are initialised with /dev/urandom.
The encryption will be initialised and then the whole encrypted device is filled with /dev/zero, so the underlying device/file ends up holding the encrypted zeros.
.B Insecure mode (-z)
In this mode only the first 2MB of the device/file are initialised with /dev/urandom.
.B grml-crypt -t xfs -o format /dev/hda4 /mnt/tmp
Formats /dev/hda4 with xfs, applies the optimized initialisation rules and mounts it to /mnt/tmp.
.B grml-crypt -t ext2 -z format /home/user/test.img /mnt/tmp
Creates /home/user/test.img with 10MB and applies only the insecure initialisation rules. Creates an ext2 filesystem on it and mounts it to /mnt/tmp.
.B grml-crypt -f -S 256 -C aes-plain -I 2 -A "--verify-passphrase" -m '-o noatime' -vvv format img /mnt/tmp
Reuses the image img with no initialisation. The encryption is established with aes-plain with a 256 bit key size and an iteration time of 2 seconds. Cryptsetup is told to verify the password by asking for it twice. Mounts it to /mnt/tmp with '-o noatime' and prints what is going on (-vvv).
.SH ENCRYPT A USB STICK
.B grml-crypt -t ext2 -z format /dev/external1
This command formats your USB stick, which hopefully is at /dev/external1 (please verify!!), with ext2 and nearly no initialisation.
You can also give the format action a mountpoint. In this case your crypto partition also gets mounted on this mountpoint.
.B grml-crypt start /dev/external1 /mnt/tmp
This command asks you for the passphrase of your crypto partition and tries to mount it to /mnt/tmp.
.B grml-crypt stop /mnt/tmp
This command removes your crypto partition cleanly from the system (umount, cryptsetup luksClose, [losetup -d]).
.SH ENCRYPTED LOOP FILESYSTEM ON USB STICK
.B mount /mnt/external1
Mounts your USB stick on /mnt/external1 (please verify!!).
.B grml-crypt -o -t vfat -s 50 format /mnt/external1/secure.img /mnt/tmp
This command creates a 50MB file, encrypted with the default options and formatted with vfat (also known as fat32). The optimized initialisation mode is used for this file (without -o this could take REALLY LONG).
This command _also_ starts your crypto file and mounts it on /mnt/tmp.
.B grml-crypt stop /mnt/tmp
This command removes your crypto partition cleanly from the system (umount, cryptsetup luksClose, [losetup -d]).
.B umount /mnt/external1
grml-crypt was written by Michael Gebetsroither <gebi@grml.org>.
This manual page was written by Michael Gebetsroither <gebi@grml.org>.